diff --git a/system/blueprints/config/security.yaml b/system/blueprints/config/security.yaml
index b309f1168..9f7241657 100644
--- a/system/blueprints/config/security.yaml
+++ b/system/blueprints/config/security.yaml
@@ -4,7 +4,7 @@ form:
 validation: loose
 fields:
 
- security_section:
+ xss_section:
 type: section
 title: PLUGIN_ADMIN.XSS_SECURITY
 underline: true
@@ -82,3 +82,18 @@ form:
 validate:
 type: commalist
 
+ uploads_section:
+ type: section
+ title: PLUGIN_ADMIN.UPLOADS_SECURITY
+ underline: true
+
+
+ uploads_dangerous_extensions:
+ type: selectize
+ size: large
+ label: PLUGIN_ADMIN.UPLOADS_DANGEROUS_EXTENSIONS
+ help: PLUGIN_ADMIN.UPLOADS_DANGEROUS_EXTENSIONS_HELP
+ classes: fancy
+ validate:
+ type: commalist
+
diff --git a/system/config/security.yaml b/system/config/security.yaml
index fce3e3f9b..77e5de0d8 100644
--- a/system/config/security.yaml
+++ b/system/config/security.yaml
@@ -23,4 +23,9 @@ xss_dangerous_tags:
 - bgsound
 - title
 - base
-
+uploads_dangerous_extensions:
+ - php
+ - html
+ - htm
+ - js
+ - exe
diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
index b4d7accee..ec6993be9 100644
--- a/system/src/Grav/Common/Utils.php
+++ b/system/src/Grav/Common/Utils.php
@@ -573,6 +573,13 @@ abstract class Utils
 */
 public static function checkFilename($filename)
 {
+ $dangerous_extensions = Grav::instance()['config']->get('security.uploads_dangerous_extensions', []);
+ array_walk($dangerous_extensions, function(&$val) {
+ $val = '.' . $val;
+ });
+
+ $extension = '.' . pathinfo($filename, PATHINFO_EXTENSION);
+
 return !(
 // Empty filenames are not allowed.
 !$filename
@@ -581,7 +588,7 @@ abstract class Utils
 // Filename should not start or end with dot or space.
 || trim($filename, '. ') !== $filename
 // Filename should not contain .php in it.
- || strpos($filename, '.php') !== false
+ || static::contains($extension, $dangerous_extensions)
 );
 }
 
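Review bot: The default `uploads_dangerous_extensions` list in this hunk leaves out extensions that PHP-enabled web servers commonly hand to the interpreter or that browsers render as active content: `phtml`, `phar`, `php3`/`php4`/`php5`/`php7`/`php8`, `phps`, `pht`, `shtml`, and `svg` (script-capable when served inline). Whether the short variants such as `php5` are already caught depends on how `Utils::contains` matches in `checkFilename` (substring versus exact), which is not visible in this diff; with an exact match the list needs the variants spelled out, e.g. `- php`, `- phtml`, `- phar`, `- phps`, `- php5`, `- svg`. Since the list is editable from the admin blueprint, a comment here such as `# Deny-list of upload extensions the server may execute or render as script; removing entries weakens upload protection.` would tell the next maintainer what the entries protect against.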
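Review bot: `$extension` is compared without case normalisation, so `shell.PHP` or `shell.Php` does not match the configured `.php` entry even though case-insensitive filesystems and typical Apache/IIS handler mappings treat them the same as `shell.php`; lower-case both sides with `$extension = '.' . strtolower(pathinfo($filename, PATHINFO_EXTENSION));` and `$val = '.' . strtolower($val);` inside the `array_walk` callback. The config value is also assumed to be an array (`array_walk` raises a warning and does nothing on a scalar, silently disabling the check), so a `(array)` cast on the `->get()` result, plus filtering out empty entries so that a stray `''` does not become a `.` that matches every extension, would make the method robust to a mis-typed YAML value. A short comment above the lookup, `// Deny-list of extensions the web server may execute; normalised to ".ext" for comparison.`, would document the intent. `checkFilename` continues in the next hunk.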
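Review bot: Replacing `strpos($filename, '.php')` with a test on the last extension only is a regression for double extensions: `shell.php.jpg` was rejected before this change and now passes, yet Apache setups that map PHP via `AddHandler`/`AddType` on `.php` still execute it regardless of the trailing `.jpg`. Every dotted suffix of the name should be tested against the deny-list, not just the one `pathinfo` returns; the rewrite below (which replaces the `$extension` line from the previous hunk as well, and assumes the `array_walk` callback lower-cases the configured entries) does that with an exact, case-insensitive match. Exact matching means variants such as `php5` and `phtml` must be listed explicitly in the config, which is easier to reason about than relying on whatever substring semantics `static::contains` may have (its implementation is not visible here). `checkFilename` starts in the previous hunk.
```php
        // Every suffix after the first dot is tested, lower-cased: "shell.PHP.jpg" yields
        // ["php", "jpg"], and AddHandler-style servers execute on any matching suffix.
        $suffixes = array_slice(explode('.', strtolower($filename)), 1);
        $has_dangerous_extension = false;
        foreach ($suffixes as $suffix) {
            if (in_array('.' . $suffix, $dangerous_extensions, true)) {
                $has_dangerous_extension = true;
                break;
            }
        }

        return !(
            // … unchanged: empty-name and leading/trailing dot-or-space checks …
            // Filename must not carry a dangerous extension anywhere in it (covers double extensions).
            || $has_dangerous_extension
        );
```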